Timeline for Why is HTTPS not the default protocol?
Current License: CC BY-SA 3.0
6 events
| when | what | by | license | comment |
|---|---|---|---|---|
| May 1, 2015 at 15:52 | comment added | Damian Yerrick | | @Pacerier The first time a user follows a link using the https: scheme to a site using HSTS that isn't in the preload list, an HTTP proxy rewriting all links can rewrite the link to instead use the http: scheme. That's why the preload list exists, but no preload list is exhaustive. So long as the user stays behind stripping proxies, visits only sites not in the browser's preload list, never manually keys in the https: scheme, and never notices the lack of a lock icon in the right place, the user is unaware of any attack. |
| Mar 28, 2015 at 23:58 | comment added | Pacerier | | @Dogeatcatworld, The question is asking why browsers change the user's request (typing in the URL) from web.com to http://web.com instead of https://web.com. |
| Mar 28, 2015 at 23:56 | comment added | Pacerier | | @Alice, What do you mean HSTS can be stripped? |
| Feb 19, 2015 at 2:48 | comment added | Alice | | @tepples HSTS is worse than useless, as it can also be stripped while providing a false sense of security to server owners. |
| Feb 19, 2015 at 0:43 | comment added | Damian Yerrick | | You're describing the "SSL stripping" attack. Browsers have since implemented HTTP Strict Transport Security (HSTS) as a countermeasure, including HSTS preload lists and HTTPS Everywhere (essentially a third-party HSTS preload list). |
| Aug 22, 2011 at 21:10 | history answered | Dog eat cat world | CC BY-SA 3.0 | |
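The comments above turn on how a browser decides to upgrade a plain `http:` URL: a dynamic HSTS policy is only learned from a response that arrived over HTTPS, the preload list covers hosts before any visit, and a non-preloaded host gets no protection on its very first request. The following is an added example, not code from this thread or from any browser: a minimal Python model of an HSTS store following RFC 6797 (header parsing, dynamic and preloaded policies, subdomain matching, expiry, and URL rewriting). Host names, header values and the preload entries are constructed for illustration.

```python
"""Minimal model of a browser's HSTS store (RFC 6797).

Added example; not code from the Stack Exchange thread. Host names and
header values below are constructed for illustration.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time; float("inf") for preloaded entries
    include_subdomains: bool


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is invalid (no max-age, non-numeric max-age,
    or a duplicated directive), in which case RFC 6797 says to ignore it.
    Unknown directives (e.g. "preload") are ignored.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=(), now=time.time):
        self.now = now
        # Preloaded hosts are kept apart: a dynamic max-age=0 must not remove them.
        self.preloaded = {h.lower() for h in preload}
        self.dynamic = {}

    def observe_response(self, host, scheme, headers):
        """Learn a policy from a response. Only HTTPS responses count (RFC 6797
        section 8.1); over plain HTTP an on-path party could set or clear it."""
        if scheme != "https":
            return
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return
        parsed = parse_hsts_header(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)     # max-age=0 withdraws a dynamic policy
        else:
            self.dynamic[host] = HstsPolicy(self.now() + max_age, include_sub)

    def is_known_host(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        host = host.lower()
        now = self.now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True                  # preload list: treated as includeSubDomains
            policy = self.dynamic.get(candidate)
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http: URL to https: when a policy applies (RFC 6797 section 8.3);
        otherwise the URL is returned unchanged, which is the first-visit gap."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):     # an explicit :80 is dropped, other ports kept
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore(preload=["preloaded.example"])
    print(store.upgrade("http://preloaded.example/"))   # upgraded before any visit
    print(store.upgrade("http://shop.example/"))        # first visit: stays http
    store.observe_response("shop.example", "https",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.upgrade("http://www.shop.example/"))    # now upgraded
```

The `is_known_host` walk from the full host name up through its parent domains is what makes `includeSubDomains` work, and the separate preload set is why a hostile `max-age=0` cannot undo a preloaded entry; the unchanged return from `upgrade` for a never-seen host is exactly the window the comments describe.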